Customers want “audit-proof” authorizations, but what exactly does that mean? What exactly do auditors scrutinize and which authorizations are classified as particularly critical? We’ll find out today.
You’re probably familiar with the situation: you join a new company and are asked to optimize SAP authorizations. If you want to know exactly what is meant by this, you are told: “The auditors are coming. We need audit-proof authorizations!” So let’s take a closer look at how you can approach your new assignment.
Depending on how large your system is, how many users and roles are used and whether additional external software solutions are in use, the analysis alone can take a lot of time. Roughly speaking, you need to find out whether critical authorizations or combinations of authorizations are assigned that are not justified by an authorization concept and/or mitigations.
Use of analysis tools
The analysis of authorizations can become a complex problem if, for example, you have a large number of SAP systems/clients in use. Internal SAP tools such as SUIM, QuickViewer or the RSUSR_008_009_NEW report are useful for analyzing the assigned authorizations. However, these tools are often time-consuming and only offer a superficial analysis.
In a complex system landscape, it may therefore be necessary to use additional (external) solutions. Tools such as SAP Access Control work with preventive controls. This means that they check whether critical authorizations or authorization combinations (SoD conflicts) arise before authorizations are assigned.
Large companies should rely on preventive controls so that critical authorizations are blocked before they are granted. For cost reasons, smaller and medium-sized companies can rely more on detective controls, in which the authorizations already granted are checked retrospectively.
Establish security checks
Regular security checks are not solely your task as the authorization administrator. But to ensure that the authorizations in the SAP system meet the current security requirements, they should be carried out at least once a quarter. They include, for example:
- Check active users: Make sure that only current employees have access to the system.
- Analyze the assigned roles: Check whether the assigned roles correspond to the current tasks and responsibilities of the users.
- Check the system settings: Ensure that the system settings comply with the security guidelines and that no unauthorized changes have been made (usually not an authorization issue).
Important checkpoints for audit-proof authorizations
Regular security checks are usually one of the points that auditors examine. In addition, they often focus on these critical areas within SAP authorizations:
- SAP_ALL / SAP_NEW: These profiles grant comprehensive administrator rights and are often checked for their use. Auditors search for users to whom these profiles are assigned.
- S_TABU_DIS / S_TABU_NAM: These authorization objects allow access to and modification of tables. Auditors check which users have these authorizations and whether they are necessary (should be regulated and justified in the authorization concept).
- SP01 (manage spool requests/print requests): This transaction allows users to view and manage print jobs. This is a data protection issue – especially if users are also allowed to access the spool requests of other users (“external” spools).
- Logging and monitoring: All activities should be fully logged and regularly reviewed to prevent misuse and ensure compliance.
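As an added illustration (not from the original article), here is what a detective check over exported table data could look like. It combines three of the points above: active users who are no longer employees, holders of SAP_ALL/SAP_NEW, and users who can change tables through a currently valid role. The rows are constructed sample data shaped like USR02, UST04, AGR_USERS and AGR_1251; the employee list, the user and role names, the lock flag values and the choice of change activities (01/02/06) are assumptions for this example. In practice you would pull the rows from SUIM or a table download rather than hard-code them.

```python
from datetime import date

# Constructed sample data (invented values), shaped like the SAP tables
# USR02 (user master), UST04 (profile assignments), AGR_USERS (role
# assignments) and AGR_1251 (authorization values inside roles).
TODAY = date(2024, 6, 30)  # reference date of the quarterly check

# USR02: user, valid-to (GLTGB), lock flag (UFLAG, 0 = unlocked), user type (USTYP, A = dialog)
USR02 = [
    ("JSMITH",    date(9999, 12, 31), 0,  "A"),
    ("MMUELLER",  date(9999, 12, 31), 0,  "A"),
    ("TLEFT",     date(9999, 12, 31), 0,  "A"),  # left the company, account still active
    ("EXPIRED1",  date(2024, 1, 31),  0,  "A"),  # validity already ended
    ("LOCKED1",   date(9999, 12, 31), 64, "A"),  # locked by administrator
    ("FIREFIGHT", date(9999, 12, 31), 0,  "A"),  # emergency user
    ("BATCH_RFC", date(9999, 12, 31), 0,  "B"),  # system user, no dialog logon
]

# UST04: user, profile
UST04 = [
    ("JSMITH", "SAP_NEW"),
    ("FIREFIGHT", "SAP_ALL"),
    ("BATCH_RFC", "Z_RFC_ONLY"),  # hypothetical profile name
]

# AGR_USERS: role, user, valid-from, valid-to
AGR_USERS = [
    ("Z_FI_ACCOUNTANT", "MMUELLER", date(2023, 1, 1), date(9999, 12, 31)),
    ("Z_BASIS_TABLES",  "JSMITH",   date(2023, 1, 1), date(9999, 12, 31)),
    ("Z_BASIS_TABLES",  "TLEFT",    date(2023, 1, 1), date(2024, 3, 31)),  # assignment expired
]

# AGR_1251: role, object, field, low, high
AGR_1251 = [
    ("Z_FI_ACCOUNTANT", "S_TABU_DIS", "ACTVT",     "03",  ""),  # display only
    ("Z_FI_ACCOUNTANT", "S_TABU_DIS", "DICBERCLS", "FC*", ""),
    ("Z_BASIS_TABLES",  "S_TABU_DIS", "ACTVT",     "02",  ""),  # change tables
    ("Z_BASIS_TABLES",  "S_TABU_DIS", "DICBERCLS", "*",   ""),
    ("Z_BASIS_TABLES",  "S_TABU_NAM", "ACTVT",     "02",  ""),
    ("Z_BASIS_TABLES",  "S_TABU_NAM", "TABLE",     "*",   ""),
]

# Hypothetical HR list of employees currently on the payroll (by SAP user name)
CURRENT_EMPLOYEES = {"JSMITH", "MMUELLER", "FIREFIGHT"}

CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}
TABLE_OBJECTS = {"S_TABU_DIS", "S_TABU_NAM"}
CHANGE_ACTIVITIES = {"01", "02", "06"}  # create, change, delete (assumption)


def logon_capable_users(today=TODAY):
    """Dialog users who could log on on the reference date: unlocked and within validity."""
    return {u for u, valid_to, lock, typ in USR02
            if typ == "A" and lock == 0 and valid_to >= today}


def orphaned_users(today=TODAY):
    """Check 1: active dialog users who are not current employees."""
    return sorted(logon_capable_users(today) - CURRENT_EMPLOYEES)


def users_with_critical_profiles():
    """Check 2: who holds SAP_ALL / SAP_NEW, the first thing auditors look for."""
    return sorted((u, p) for u, p in UST04 if p in CRITICAL_PROFILES)


def effective_roles(user, today=TODAY):
    """Roles whose assignment to the user is valid on the reference date."""
    return {r for r, u, f, t in AGR_USERS if u == user and f <= today <= t}


def roles_with_table_change():
    """Roles that carry a change activity on S_TABU_DIS / S_TABU_NAM."""
    return {r for r, obj, fld, low, _high in AGR_1251
            if obj in TABLE_OBJECTS and fld == "ACTVT" and low in CHANGE_ACTIVITIES}


def users_with_table_change(today=TODAY):
    """Check 3: users who can change tables through a currently valid role."""
    risky = roles_with_table_change()
    result = []
    for user in sorted({u for _, u, _, _ in AGR_USERS}):
        hit = effective_roles(user, today) & risky
        if hit:
            result.append((user, sorted(hit)))
    return result


if __name__ == "__main__":
    print("active users without current employment:", orphaned_users())
    print("SAP_ALL / SAP_NEW holders:", users_with_critical_profiles())
    print("table change through valid roles:", users_with_table_change())
```

Note that TLEFT shows up in the first check but not in the third: the role assignment has already expired, but the account itself is still open, which is exactly the kind of gap a user-centric check catches and a role-centric one misses.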
Create audit-proof authorizations
This gives you an initial entry point for generating audit-proof authorizations: SAP_ALL and SAP_NEW must be withdrawn and replaced with appropriate functional single roles, the table and spool authorizations must be checked and restricted if necessary.
Use authorization concept
At this point, you can ideally fall back on a detailed and up-to-date authorization concept. This should regulate how to deal with potentially critical authorizations:
- Which roles contain critical authorizations and why?
For certain activities, users need authorizations to manage tables and spool requests. Even if these are classified as critical, you cannot simply withdraw them across the board. At best, the authorization concept regulates in which roles these authorizations are permitted, to which user group they are assigned and who has assumed the risk.
- Which SoD conflicts should be avoided?
Segregation of Duties (SoD) refers to the dual control principle. In concrete terms, it means that users may not have certain authorizations (such as placing orders and approving orders) in combination. SoDs are essentially a compliance issue. Which authorization combinations are considered critical varies from company to company and should be regulated in the authorization concept.
- Are there users who are deliberately “over-authorized”?
This involves key users, for example, but also emergency users. The latter are often authorized with SAP_ALL, for example. As this will always be noted as critical, the concept should contain a clear regulation as to why which users have extensive authorizations (and which control mechanisms are used for protection).
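To make the SoD and over-authorization points concrete, here is an added example (not part of the original article) that evaluates a small SoD rule set over role-to-user assignments and marks conflicts that the authorization concept has consciously accepted with a mitigating control. The extracts are constructed to look like AGR_TCODES and AGR_USERS; the rule ids, the role and user names, the mitigation entries and the purchasing/vendor transaction pairs are assumptions for the example.

```python
from datetime import date

# Constructed extracts (invented values) shaped like AGR_TCODES (transactions
# contained in a role) and AGR_USERS (role-to-user assignments with validity).
TODAY = date(2024, 6, 30)

AGR_TCODES = [
    ("Z_MM_BUYER",    "ME21N"),  # create purchase order
    ("Z_MM_APPROVER", "ME29N"),  # release purchase order
    ("Z_FI_VENDOR",   "FK01"),   # create vendor master
    ("Z_FI_PAYMENTS", "F110"),   # automatic payment run
    ("Z_MM_DISPLAY",  "ME23N"),  # display purchase order
]

AGR_USERS = [
    ("Z_MM_BUYER",    "ABUYER",    date(2023, 1, 1), date(9999, 12, 31)),
    ("Z_MM_APPROVER", "ABUYER",    date(2024, 5, 1), date(9999, 12, 31)),  # open conflict
    ("Z_MM_BUYER",    "BHEAD",     date(2023, 1, 1), date(9999, 12, 31)),
    ("Z_MM_APPROVER", "BHEAD",     date(2023, 1, 1), date(2024, 4, 30)),   # expired, no conflict
    ("Z_FI_VENDOR",   "FIREFIGHT", date(2023, 1, 1), date(9999, 12, 31)),
    ("Z_FI_PAYMENTS", "FIREFIGHT", date(2023, 1, 1), date(9999, 12, 31)),  # conflict, mitigated
    ("Z_MM_DISPLAY",  "CVIEW",     date(2023, 1, 1), date(9999, 12, 31)),
]

# SoD rule set: transaction combinations the authorization concept forbids.
# Rule ids and pairs are assumptions; each company defines its own.
SOD_RULES = {
    "MM01": ({"ME21N"}, {"ME29N"}, "create and release purchase order"),
    "FI01": ({"FK01"},  {"F110"},  "maintain vendor master and run payments"),
}

# Deliberately over-authorized users as recorded in the authorization concept:
# (user, rule) -> (mitigating control, risk owner). Invented for the example.
MITIGATIONS = {
    ("FIREFIGHT", "FI01"): ("emergency user; every session logged and reviewed", "CFO"),
}


def effective_tcodes(user, today=TODAY):
    """Transactions reachable through role assignments valid on the reference date."""
    roles = {r for r, u, f, t in AGR_USERS if u == user and f <= today <= t}
    return {tcd for r, tcd in AGR_TCODES if r in roles}


def sod_conflicts(today=TODAY):
    """Evaluate every user against the rule set; report conflicts with mitigation status."""
    findings = []
    for user in sorted({u for _, u, _, _ in AGR_USERS}):
        tcodes = effective_tcodes(user, today)
        for rule_id, (side_a, side_b, text) in SOD_RULES.items():
            # A conflict exists only if the user reaches both sides of the rule.
            if tcodes & side_a and tcodes & side_b:
                mitigation = MITIGATIONS.get((user, rule_id))
                findings.append({
                    "user": user,
                    "rule": rule_id,
                    "description": text,
                    "status": "mitigated" if mitigation else "open",
                    "control": mitigation[0] if mitigation else None,
                    "risk_owner": mitigation[1] if mitigation else None,
                })
    return findings


def open_conflicts(today=TODAY):
    """Only the unmitigated conflicts, i.e. what an auditor will report as a finding."""
    return [f for f in sod_conflicts(today) if f["status"] == "open"]


if __name__ == "__main__":
    for f in sod_conflicts():
        print(f["user"], f["rule"], f["status"], f["control"] or "")
```

The validity dates matter: BHEAD held both roles at some point, but the approver assignment ended, so on the reference date there is no conflict. A check that ignores FROM_DAT/TO_DAT would report a false positive here and, worse, miss assignments that only become valid in the future.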
Audit-proof authorizations: Minimum principle
You now have an overview of all roles that contain critical authorizations and have compared these with the regulations from the authorization concept. The delta between these two analyses, i.e. the critical authorizations that are in use but not covered by the concept, must now be corrected in order to create audit-proof authorizations.
If necessary, create new roles or adjust existing roles so that the critical authorizations that are not included in the concept are removed. Proceed as usual according to the minimum principle. This means that users should only receive the authorizations that they absolutely need for their work. This reduces the risk of misuse and increases the security of the system. The following points should be observed when assigning authorizations:
- Strict adherence to the minimum principle: Assign only the most necessary authorizations and regularly check whether these are still required.
- Consideration of requirements and regulations: Ensure that the assignment of authorizations complies with legal regulations and company guidelines. In addition to industry-specific rules, compliance and data protection are particularly important here.
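The delta between “critical authorizations found in roles” and “critical authorizations permitted by the concept” can be computed mechanically once both sides are in a comparable form. The following added example (not from the original article) does this over a constructed AGR_1251-like extract and a hand-written allow list standing in for the authorization concept; the classification of what counts as critical, the role names and the risk owners are assumptions. It also reports concept entries for which no role carries the authorization any more, which you will want to clean up in the documentation as well.

```python
# Constructed extract (invented values) shaped like AGR_1251: role, object, field, value.
AGR_1251 = [
    ("Z_FI_ACCOUNTANT", "S_TABU_DIS", "ACTVT", "03"),
    ("Z_BASIS_TABLES",  "S_TABU_DIS", "ACTVT", "02"),
    ("Z_BASIS_TABLES",  "S_TABU_NAM", "ACTVT", "02"),
    ("Z_MM_BUYER",      "S_TABU_DIS", "ACTVT", "02"),    # not foreseen in the concept
    ("Z_SPOOL_ADMIN",   "S_TCODE",    "TCD",   "SP01"),
    ("Z_FI_ACCOUNTANT", "S_TCODE",    "TCD",   "SP01"),  # not foreseen in the concept
    ("Z_FI_ACCOUNTANT", "S_TCODE",    "TCD",   "FB03"),
]

# What this check classifies as critical (assumption): a name mapped to
# (object, field, set of values) patterns matched against the role's values.
CRITICAL = {
    "table_change": [
        ("S_TABU_DIS", "ACTVT", {"01", "02", "06"}),
        ("S_TABU_NAM", "ACTVT", {"01", "02", "06"}),
    ],
    "spool_admin": [
        ("S_TCODE", "TCD", {"SP01"}),
    ],
}

# The authorization concept's allow list: which roles may carry which critical
# authorization, and who has accepted the risk. Invented for the example.
CONCEPT = {
    ("Z_BASIS_TABLES",   "table_change"): "Head of Basis",
    ("Z_SPOOL_ADMIN",    "spool_admin"):  "Head of Basis",
    ("Z_OLD_TABLE_ROLE", "table_change"): "Head of Basis",  # role no longer exists
}


def critical_in_roles():
    """Which critical classification each role triggers, derived from its authorization values."""
    hits = set()
    for role, obj, fld, val in AGR_1251:
        for name, patterns in CRITICAL.items():
            for p_obj, p_fld, p_vals in patterns:
                if obj == p_obj and fld == p_fld and val in p_vals:
                    hits.add((role, name))
    return hits


def concept_delta():
    """Compare the findings with the concept.

    remove:           critical authorization in a role the concept does not allow
    stale_in_concept: concept entry that no role carries any more (update the document)
    covered:          critical authorization that is in use and justified
    """
    found = critical_in_roles()
    allowed = set(CONCEPT)
    return {
        "remove": sorted(found - allowed),
        "stale_in_concept": sorted(allowed - found),
        "covered": sorted(found & allowed),
    }


if __name__ == "__main__":
    for key, rows in concept_delta().items():
        print(key)
        for role, name in rows:
            owner = CONCEPT.get((role, name), "-")
            print(f"  {role:18} {name:13} risk owner: {owner}")
```

The “remove” list is the work package for the role administrator; the “stale_in_concept” list is the work package for whoever maintains the concept. Keeping the concept in a machine-readable form like this is what makes the comparison repeatable for the next quarterly check.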
Documentation
Once all authorization adjustments have been made, don’t forget the documentation! Update the authorization concept and all relevant applicable documents. The documentation should contain all processes and guidelines for assigning and monitoring authorizations. This documentation is usually also made available to the auditors and must therefore be up to date.
Building a role for auditors
Almost done. There is still one task ahead of you before the auditors can arrive: You need to build a role for the auditors. You can copy the corresponding SAP standard role and adapt it to your company’s requirements.
Here too, make sure you only assign the necessary authorizations. A simple example: an auditor does not need access to HR data, but usually does need access to FI data. Above all, however, make sure that you restrict the role to display authorizations as far as possible.
Also ensure that the assignment of the role is limited to the audit period. In other words, remove the role again afterwards and/or deactivate the user for the auditor.
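An added example (not from the original article) of the three checks on the auditor role just described: no activity beyond display, no HR authorization objects, and no assignment that outlasts the audit period. The role, users, dates and FI objects are constructed sample data; treating 03 and 08 as the only display activities and P_*/PLOG as the HR objects are assumptions for this check.

```python
from datetime import date

# Constructed values (invented) shaped like AGR_1251 (authorization values in a
# role) and AGR_USERS (assignment of the role to users with validity).
AUDITOR_ROLE = "Z_AUDITOR_FI_DISPLAY"

AGR_1251 = [
    (AUDITOR_ROLE, "S_TCODE",    "TCD",   "FB03"),   # display FI document
    (AUDITOR_ROLE, "S_TCODE",    "TCD",   "FBL3N"),  # G/L account line items
    (AUDITOR_ROLE, "F_BKPF_BUK", "ACTVT", "03"),     # display
    (AUDITOR_ROLE, "F_BKPF_BUK", "ACTVT", "02"),     # change: must not be in an auditor role
    (AUDITOR_ROLE, "F_BKPF_BUK", "BUKRS", "*"),
    (AUDITOR_ROLE, "S_TABU_DIS", "ACTVT", "03"),
    (AUDITOR_ROLE, "P_ORGIN",    "ACTVT", "03"),     # HR master data: not needed by the auditor
]

AGR_USERS = [
    (AUDITOR_ROLE, "AUDIT01", date(2024, 9, 1), date(2024, 9, 30)),
    (AUDITOR_ROLE, "AUDIT02", date(2024, 9, 1), date(9999, 12, 31)),  # never expires
]

DISPLAY_ACTIVITIES = {"03", "08"}    # display, display change documents (assumption)
HR_OBJECT_PREFIXES = ("P_", "PLOG")  # HR authorization objects (assumption for this check)
AUDIT_PERIOD = (date(2024, 9, 1), date(2024, 9, 30))


def non_display_activities(role=AUDITOR_ROLE):
    """Check 1: (object, activity) pairs in the role that go beyond display."""
    return sorted({(obj, val) for r, obj, fld, val in AGR_1251
                   if r == role and fld == "ACTVT" and val not in DISPLAY_ACTIVITIES})


def hr_objects(role=AUDITOR_ROLE):
    """Check 2: HR authorization objects present in the role."""
    return sorted({obj for r, obj, _fld, _val in AGR_1251
                   if r == role and obj.startswith(HR_OBJECT_PREFIXES)})


def assignments_outside_period(role=AUDITOR_ROLE, period=AUDIT_PERIOD):
    """Check 3: users whose assignment starts before or ends after the audit period."""
    start, end = period
    return sorted(u for r, u, f, t in AGR_USERS
                  if r == role and (f < start or t > end))


def auditor_role_findings(role=AUDITOR_ROLE, period=AUDIT_PERIOD):
    """All three checks in one report; an empty list means the check passed."""
    return {
        "non_display": non_display_activities(role),
        "hr_objects": hr_objects(role),
        "assignment_outside_period": assignments_outside_period(role, period),
    }


if __name__ == "__main__":
    for check, rows in auditor_role_findings().items():
        print(f"{check}: {'ok' if not rows else rows}")
```

Run this once before the auditors arrive and once after they leave: the first run validates the role, the second confirms that the assignment was actually removed or expired.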